A hacking group believed to be associated with the Iranian government, identified as Peach Sandstorm (previously known as Holmium), has conducted a cyber espionage campaign targeting organizations in the satellite, defense, and pharmaceutical sectors on a global scale. Microsoft, which has been tracking the group's activities, revealed that the campaign ran from February to July and focused on infiltrating these critical industries to collect intelligence "in support of Iranian state interests."
The attackers employed a variety of tactics and techniques to gain unauthorized access to the targeted systems. One notable approach was "password spraying," in which the attackers tried a single password, or a short list of commonly used passwords, against many accounts rather than many passwords against one account. Despite its apparent simplicity, password spraying is effective: spreading a few guesses across many accounts raises the odds that at least one succeeds while keeping each individual account below the failure count that triggers automatic lockout.
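Because spraying keeps every account under the lockout threshold, per-account lockout rules never fire; the signal a defender has to look for instead is one source failing against many different accounts in a short window. The following added example (not from the article, Microsoft, or any vendor tool) shows that detection logic run over constructed sign-in records; the event format, the thresholds and the sample lines are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the report): (time, source, account, outcome).
SAMPLE_EVENTS = [
    ("2023-03-01T09:00:01", "203.0.113.7", "alice", "failure"),
    ("2023-03-01T09:00:04", "203.0.113.7", "bob", "failure"),
    ("2023-03-01T09:00:09", "203.0.113.7", "carol", "failure"),
    ("2023-03-01T09:00:15", "203.0.113.7", "dave", "failure"),
    ("2023-03-01T09:00:21", "203.0.113.7", "erin", "failure"),
    ("2023-03-01T09:00:30", "203.0.113.7", "frank", "success"),
    ("2023-03-01T09:01:00", "198.51.100.2", "alice", "failure"),
    ("2023-03-01T09:01:02", "198.51.100.2", "alice", "failure"),
    ("2023-03-01T09:01:05", "198.51.100.2", "alice", "failure"),
]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, lockout_threshold=5):
    """Flag sources that fail against many distinct accounts while staying
    under the per-account lockout threshold inside one window.

    Returns {source: (distinct_accounts, max_failures_per_account,
                      success_seen_in_window)}.  A brute force against a single
    account is deliberately not matched: lockout policy already covers it.
    """
    by_source = defaultdict(list)
    for ts, src, user, outcome in events:
        by_source[src].append((datetime.fromisoformat(ts), user, outcome))

    findings = {}
    for src, rows in by_source.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):  # window anchored at each event
            fails, succeeded = defaultdict(int), False
            for ts, user, outcome in rows[i:]:
                if ts - start > window:
                    break
                if outcome == "failure":
                    fails[user] += 1
                else:
                    succeeded = True
            if fails and len(fails) >= min_accounts \
                    and max(fails.values()) < lockout_threshold:
                findings[src] = (len(fails), max(fails.values()), succeeded)
                break
    return findings
```

A success from the same source inside the window (the third field) is the follow-up worth prioritising, since it marks the account the spray actually opened.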
While Microsoft did not disclose the specific countries targeted, recent attacks linked to Iranian state-backed hackers have primarily concentrated on nations like Israel, the United States, Brazil, and the United Arab Emirates.
Peach Sandstorm has a history of utilizing password spraying in its previous cyber operations, which also encompassed industries such as aerospace, defense, chemicals, and mining. Once the group successfully compromises a target, their attacks become more intricate. Microsoft observed the hackers using tools like AzureHound and Roadtools to collect information from a victim's system, access data in a target's cloud environment, and transfer specific data of interest to a single database.
Additionally, the attackers installed the Azure Arc client on compromised devices, linking them to their Azure subscription. This granted the hackers control over the targeted devices through their cloud infrastructure. The group also attempted to exploit known vulnerabilities, including one in Zoho ManageEngine, used for IT service management, and in the team collaboration tool Confluence.
To maintain access to their targets, Peach Sandstorm used AnyDesk, a commercial remote monitoring and management tool. Notably, U.S. cybersecurity authorities have warned against the misuse of such tools, as they can provide an "easy way to circumvent security systems and establish longstanding access to victim networks."
Microsoft expressed concern over the capabilities exhibited in this campaign, emphasizing that even initial access by foreign hackers can adversely impact the victims. As cyber threats continue to evolve and become more sophisticated, organizations must prioritize robust cybersecurity measures to protect their sensitive data and networks from such incursions.
In a related development, researchers recently uncovered a new backdoor tool used by suspected Iranian hackers against targets in Brazil, Israel, and the United Arab Emirates. Known as Ballistic Bobcat or Charming Kitten, this group deployed the tool to target at least 34 victims, primarily in Israel, between March 2021 and June 2022, as reported by cybersecurity company ESET. Furthermore, a recent Microsoft report highlighted that Iranian state-backed hackers are increasingly employing influence operations to amplify the impact of conventional cyberattacks and advance Tehran's political agenda in countries like Israel and the United States.
A Data Breach is a situation in which information security has failed, enabling sensitive data of any kind to be accessed by unauthorized individuals despite whatever protections were in place. Data breaches have become a particular concern in recent years because such stolen data is often subsequently distributed widely, in particular on the dark web, where it is often aggregated and sold for illicit activity, identity theft, or further cyberattacks of various kinds.